cve/published/2022/CVE-2022-49476.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49476: mt76: mt7921: fix kernel crash at mt7921_pci_remove

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 mt76: mt7921: fix kernel crash at mt7921_pci_remove

 The crash log shown it is possible that mt7921_irq_handler is called while
 devm_free_irq is being handled so mt76_free_device need to be postponed
 until devm_free_irq is completed to solve the crash we free the mt76 device
 too early.

 [ 9299.339655] BUG: kernel NULL pointer dereference, address: 0000000000000008
 [ 9299.339705] #PF: supervisor read access in kernel mode
 [ 9299.339735] #PF: error_code(0x0000) - not-present page
 [ 9299.339768] PGD 0 P4D 0
 [ 9299.339786] Oops: 0000 [#1] SMP PTI
 [ 9299.339812] CPU: 1 PID: 1624 Comm: prepare-suspend Not tainted 5.15.14-1.fc32.qubes.x86_64 #1
 [ 9299.339863] Hardware name: Xen HVM domU, BIOS 4.14.3 01/20/2022
 [ 9299.339901] RIP: 0010:mt7921_irq_handler+0x1e/0x70 [mt7921e]
 [ 9299.340048] RSP: 0018:ffffa81b80c27cb0 EFLAGS: 00010082
 [ 9299.340081] RAX: 0000000000000000 RBX: ffff98a4cb752020 RCX: ffffffffa96211c5
 [ 9299.340123] RDX: 0000000000000000 RSI: 00000000000d4204 RDI: ffff98a4cb752020
 [ 9299.340165] RBP: ffff98a4c28a62a4 R08: ffff98a4c37a96c0 R09: 0000000080150011
 [ 9299.340207] R10: 0000000040000000 R11: 0000000000000000 R12: ffff98a4c4eaa080
 [ 9299.340249] R13: ffff98a4c28a6360 R14: ffff98a4cb752020 R15: ffff98a4c28a6228
 [ 9299.340297] FS: 00007260840d3740(0000) GS:ffff98a4ef700000(0000) knlGS:0000000000000000
 [ 9299.340345] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 [ 9299.340383] CR2: 0000000000000008 CR3: 0000000004c56001 CR4: 0000000000770ee0
 [ 9299.340432] PKRU: 55555554
 [ 9299.340449] Call Trace:
 [ 9299.340467] <TASK>
 [ 9299.340485] __free_irq+0x221/0x350
 [ 9299.340527] free_irq+0x30/0x70
 [ 9299.340553] devm_free_irq+0x55/0x80
 [ 9299.340579] mt7921_pci_remove+0x2f/0x40 [mt7921e]
 [ 9299.340616] pci_device_remove+0x3b/0xa0
 [ 9299.340651] __device_release_driver+0x17a/0x240
 [ 9299.340686] device_driver_detach+0x3c/0xa0
 [ 9299.340714] unbind_store+0x113/0x130
 [ 9299.340740] kernfs_fop_write_iter+0x124/0x1b0
 [ 9299.340775] new_sync_write+0x15c/0x1f0
 [ 9299.340806] vfs_write+0x1d2/0x270
 [ 9299.340831] ksys_write+0x67/0xe0
 [ 9299.340857] do_syscall_64+0x3b/0x90
 [ 9299.340887] entry_SYSCALL_64_after_hwframe+0x44/0xae

 The Linux kernel CVE team has assigned CVE-2022-49476 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.12 with commit 5c14a5f944b91371961548b1907802f74a4d2e5c and fixed in 5.17.14 with commit 09693f5b636fb3f6dd56fd943226fc1bbc600b51
 	Issue introduced in 5.12 with commit 5c14a5f944b91371961548b1907802f74a4d2e5c and fixed in 5.18.3 with commit 677e669973bf5460705bc65033445ea9f6615999
 	Issue introduced in 5.12 with commit 5c14a5f944b91371961548b1907802f74a4d2e5c and fixed in 5.19 with commit ad483ed9dd5193a54293269c852a29051813b7bd

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49476
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/wireless/mediatek/mt76/mt7921/pci.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/09693f5b636fb3f6dd56fd943226fc1bbc600b51
 	https://git.kernel.org/stable/c/677e669973bf5460705bc65033445ea9f6615999
 	https://git.kernel.org/stable/c/ad483ed9dd5193a54293269c852a29051813b7bd
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49476: mt76: mt7921: fix kernel crash at mt7921_pci_remove

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	mt76: mt7921: fix kernel crash at mt7921_pci_remove

	The crash log shown it is possible that mt7921_irq_handler is called while
	devm_free_irq is being handled so mt76_free_device need to be postponed
	until devm_free_irq is completed to solve the crash we free the mt76 device
	too early.

	[ 9299.339655] BUG: kernel NULL pointer dereference, address: 0000000000000008
	[ 9299.339705] #PF: supervisor read access in kernel mode
	[ 9299.339735] #PF: error_code(0x0000) - not-present page
	[ 9299.339768] PGD 0 P4D 0
	[ 9299.339786] Oops: 0000 [#1] SMP PTI
	[ 9299.339812] CPU: 1 PID: 1624 Comm: prepare-suspend Not tainted 5.15.14-1.fc32.qubes.x86_64 #1
	[ 9299.339863] Hardware name: Xen HVM domU, BIOS 4.14.3 01/20/2022
	[ 9299.339901] RIP: 0010:mt7921_irq_handler+0x1e/0x70 [mt7921e]
	[ 9299.340048] RSP: 0018:ffffa81b80c27cb0 EFLAGS: 00010082
	[ 9299.340081] RAX: 0000000000000000 RBX: ffff98a4cb752020 RCX: ffffffffa96211c5
	[ 9299.340123] RDX: 0000000000000000 RSI: 00000000000d4204 RDI: ffff98a4cb752020
	[ 9299.340165] RBP: ffff98a4c28a62a4 R08: ffff98a4c37a96c0 R09: 0000000080150011
	[ 9299.340207] R10: 0000000040000000 R11: 0000000000000000 R12: ffff98a4c4eaa080
	[ 9299.340249] R13: ffff98a4c28a6360 R14: ffff98a4cb752020 R15: ffff98a4c28a6228
	[ 9299.340297] FS: 00007260840d3740(0000) GS:ffff98a4ef700000(0000) knlGS:0000000000000000
	[ 9299.340345] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	[ 9299.340383] CR2: 0000000000000008 CR3: 0000000004c56001 CR4: 0000000000770ee0
	[ 9299.340432] PKRU: 55555554
	[ 9299.340449] Call Trace:
	[ 9299.340467] <TASK>
	[ 9299.340485] __free_irq+0x221/0x350
	[ 9299.340527] free_irq+0x30/0x70
	[ 9299.340553] devm_free_irq+0x55/0x80
	[ 9299.340579] mt7921_pci_remove+0x2f/0x40 [mt7921e]
	[ 9299.340616] pci_device_remove+0x3b/0xa0
	[ 9299.340651] __device_release_driver+0x17a/0x240
	[ 9299.340686] device_driver_detach+0x3c/0xa0
	[ 9299.340714] unbind_store+0x113/0x130
	[ 9299.340740] kernfs_fop_write_iter+0x124/0x1b0
	[ 9299.340775] new_sync_write+0x15c/0x1f0
	[ 9299.340806] vfs_write+0x1d2/0x270
	[ 9299.340831] ksys_write+0x67/0xe0
	[ 9299.340857] do_syscall_64+0x3b/0x90
	[ 9299.340887] entry_SYSCALL_64_after_hwframe+0x44/0xae

	The Linux kernel CVE team has assigned CVE-2022-49476 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.12 with commit 5c14a5f944b91371961548b1907802f74a4d2e5c and fixed in 5.17.14 with commit 09693f5b636fb3f6dd56fd943226fc1bbc600b51
	Issue introduced in 5.12 with commit 5c14a5f944b91371961548b1907802f74a4d2e5c and fixed in 5.18.3 with commit 677e669973bf5460705bc65033445ea9f6615999
	Issue introduced in 5.12 with commit 5c14a5f944b91371961548b1907802f74a4d2e5c and fixed in 5.19 with commit ad483ed9dd5193a54293269c852a29051813b7bd

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49476
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/wireless/mediatek/mt76/mt7921/pci.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/09693f5b636fb3f6dd56fd943226fc1bbc600b51
	https://git.kernel.org/stable/c/677e669973bf5460705bc65033445ea9f6615999
	https://git.kernel.org/stable/c/ad483ed9dd5193a54293269c852a29051813b7bd